Commits on Jan 28, 2013
  1. @tenderlove

    bumping to 3.0.20

    tenderlove committed Jan 28, 2013
  2. @NZKoz @tenderlove

    Add an OkJson backend and remove the YAML backend

    Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
    NZKoz committed with tenderlove Jan 24, 2013
Commits on Jan 27, 2013
  1. @carlosantoniodasilva

    Fix failing test related to escaping include_blank in select_tag

    Rails 3.0.x doesn't have the :prompt option in select_tag; it was
    introduced in c5d54be, which is only
    available from 3.1.x on.
    
    The test and related fix were introduced in
    c979587 for Rails 3.0.17, as a fix for
    a security vulnerability. The code is completely fine, but the test was
    using the invalid :prompt option for this version, probably because it
    was cherry-picked from another branch which has the option.
    carlosantoniodasilva committed Jan 26, 2013
Commits on Jan 26, 2013
  1. @carlosantoniodasilva

    Remove obsolete rake/rdoctask require

    Requiring this now raises a RuntimeError, failing the test.
    It also seems that the require is unnecessary to pass the test.
    carlosantoniodasilva committed Jan 26, 2013
  2. @carlosantoniodasilva

    Update failing tests overriding destroy method instead of using mocha expectation
    
    Mocha by default does not allow adding expectations to frozen objects,
    so this just applies a workaround to ensure the method is never called, making
    the tests pass without enabling this again in mocha.
    carlosantoniodasilva committed Jan 26, 2013
  3. @kennyj @carlosantoniodasilva
  4. @dmathieu @carlosantoniodasilva
  5. @carlosantoniodasilva
  6. @carlosantoniodasilva
  7. @carlosantoniodasilva
Commits on Jan 16, 2013
  1. @rafaelfranca

    Merge pull request #8872 from freerange/3-0-stable-with-mocha-fixes

    Fix 3-0-stable to work with Mocha >= v0.13.0
    rafaelfranca committed Jan 16, 2013
  2. @floehopper

    Fix 3-0-stable to work with Mocha >= v0.13.0

    A) Update code in ActiveSupport which monkey-patches Test::Unit to
    include Mocha bug fix.
    
    A bug was fixed [1] in Mocha's integration with Test::Unit, but this
    monkey-patching code was copied before the fix. We need to copy the
    fixed version.
    
    The bug meant that an unexpected invocation against a mock within the
    teardown method caused a test *error* and not a test *failure*.
    
    B) Fix for Test::Unit/Mocha compatibility.
    
    Mocha is now using a single AssertionCounter which needs a reference to
    the testcase as opposed to the result.
    
    This change is an unfortunate consequence of the copying of a chunk of
    Mocha's internal code in order to monkey-patch Test::Unit.
    
    C) Avoid a Mocha deprecation warning.
    
    [1]
    freerange/mocha@f1ff647#diff-5
    commit 0591f6d, parent 8b3109a
    floehopper committed Aug 26, 2012
Commits on Jan 12, 2013
  1. @pixeltrix
Commits on Jan 11, 2013
  1. @jeremy

    Merge pull request #8890 from dylanahsmith/3-0-parse-non-object-json-params

    3-0-stable: Fix JSON params parsing regression for non-object JSON content.
    jeremy committed Jan 10, 2013
  2. @dylanahsmith
Commits on Jan 10, 2013
  1. @carlosantoniodasilva
Commits on Jan 9, 2013
  1. @carlosantoniodasilva

    Merge pull request #8853 from zmoazeni/3-0-xml-serialization-fix

    Methods that return nil should not be considered YAML
    carlosantoniodasilva committed Jan 9, 2013
  2. @zmoazeni

    Methods that return nil should not be considered YAML

    This is a direct port of @jaw6's pull request
    #492. His applied cleanly to Rails
    v3.1 and v3.2, and this applies cleanly to v3.0.
    
    With yesterday's security patches
    http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
    there is now an issue with Rails v3.0 serving XML to any of the latest
    versions of ActiveResource.
    
    Without this, Rails v3.0 can serve XML to ActiveResource consumers that
    will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
    zmoazeni committed Jan 9, 2013
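The two commits above describe both halves of the problem: a Rails 3.0 server that typed nil attributes as `type="yaml"` in its XML, and an ActiveResource consumer that, after the Jan 8 security patches, refuses that type attribute. The following is an added illustration, not Rails's own `to_xml`/`from_xml` code: a minimal producer that emits `nil="true"` for nil values instead of falling through to the yaml type, and a consumer-side typecaster that rejects disallowed type attributes with the error quoted above. Only the error message follows the page; the function names, the type table and the `DISALLOWED_TYPES` list are assumptions of this example.

```ruby
# Added illustration, not Rails's own to_xml/from_xml code.
require 'date'
require 'time'

# Error raised by the consumer side for a type attribute it refuses to
# typecast; the message matches the one quoted in the commit above.
class DisallowedType < StandardError
  def initialize(type)
    super("Disallowed type attribute: #{type.inspect}")
  end
end

# Type attributes that must never be honoured (assumed list): honouring
# them would let the sender instantiate arbitrary Ruby objects on the
# receiver.
DISALLOWED_TYPES = %w[symbol yaml].freeze

# --- producer side ------------------------------------------------------

XML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

def xml_escape(text)
  text.to_s.gsub(/[&<>]/, XML_ESCAPE)
end

# Type attribute written for a Ruby value. Strings carry no attribute.
# Anything not in the table falls back to "yaml", which is the fallback
# that nil used to hit before the fix.
def xml_type_of(value)
  case value
  when Integer               then 'integer'
  when Float                 then 'float'
  when TrueClass, FalseClass then 'boolean'
  when Time                  then 'datetime'
  when Date                  then 'date'
  when String                then nil
  else 'yaml'
  end
end

# One attribute element. nil is checked first, so it becomes
# <name nil="true"/> instead of <name type="yaml"></name>.
def element_for(name, value)
  return "<#{name} nil=\"true\"/>" if value.nil?

  type = xml_type_of(value)
  attr = type ? " type=\"#{type}\"" : ''
  "<#{name}#{attr}>#{xml_escape(value)}</#{name}>"
end

# Serialize a hash of attributes under a root element.
def attributes_to_xml(root, attrs)
  body = attrs.map { |k, v| element_for(k, v) }.join
  "<#{root}>#{body}</#{root}>"
end

# --- consumer side ------------------------------------------------------

PARSERS = {
  'integer'  => ->(s) { Integer(s, 10) },
  'float'    => ->(s) { Float(s) },
  'boolean'  => ->(s) { %w[1 true].include?(s.strip) },
  'date'     => ->(s) { Date.parse(s) },
  'datetime' => ->(s) { Time.parse(s) }
}.freeze

# Typecast one element's text given its type and nil attributes.
# Disallowed types raise before any parsing is attempted; unknown types
# are treated as plain strings.
def typecast_xml_value(text, type: nil, nil_attr: nil)
  return nil if nil_attr == 'true'
  raise DisallowedType, type if DISALLOWED_TYPES.include?(type)

  parser = PARSERS[type]
  parser ? parser.call(text) : text
end
```

A server running the fixed producer emits `<age nil="true"/>` for a nil attribute, which the consumer turns back into nil without ever consulting the type table; a server still emitting `type="yaml"` trips `DisallowedType` on the consumer, which is the failure the commit describes.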
  3. @carlosantoniodasilva

    Merge pull request #8836 from sikachu/3-0-stable-fix-ars

    Remove test for XML YAML parsing
    carlosantoniodasilva committed Jan 8, 2013
  4. @sikachu

    Remove test for XML YAML parsing

    The support for YAML parsing in XML has been removed from Active Support
    since it introduced a security risk. See a494824 for more detail.
    sikachu committed Jan 8, 2013
Commits on Jan 8, 2013
  1. @tenderlove

    bumping version

    tenderlove committed Jan 7, 2013
  2. @jeremy @tenderlove
  3. @tenderlove

    * Strip nils from collections on JSON and XML posts. [CVE-2013-0155]
    * dealing with empty hashes. Thanks Damien Mathieu
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    
    Conflicts:
    	actionpack/CHANGELOG.md
    	activerecord/CHANGELOG.md
    	activerecord/lib/active_record/relation/predicate_builder.rb
    tenderlove committed Jan 4, 2013
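The CVE-2013-0155 commit above strips nils from collections in decoded JSON and XML bodies, and the #8890 merge higher up restores parsing of non-object JSON content under a key. The block below is an added illustration of both behaviours, not the Rails params parser itself: `deep_munge` removes nil members from every array in the decoded structure, and `json_params` wraps a top-level array or scalar under `"_json"`. Treating an empty body and an empty object as `{}` is this example's reading of "dealing with empty hashes"; the page gives no more detail than that.

```ruby
# Added illustration, not Rails's own params parser.
require 'json'

# Recursively remove nil elements from arrays and descend into hashes.
# Hash keys are kept even when their value is nil; only collection
# members are stripped, so {"name" => [nil]} becomes {"name" => []}
# rather than reaching the application as an array containing nil.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = deep_munge(v) }
  when Array
    value.map { |v| deep_munge(v) }.compact
  else
    value
  end
end

# Decode a JSON request body into a params hash.
# - an empty body or an empty object gives {} (assumed behaviour)
# - a top-level array or scalar is stored under "_json"
# - every array in the result has had its nils stripped
def json_params(body)
  return {} if body.nil? || body.strip.empty?

  data = JSON.parse(body)
  data = { '_json' => data } unless data.is_a?(Hash)
  deep_munge(data)
end
```

Without the munge step a body such as `{"name":[null]}` reaches the application as `name => [nil]`, which is the input the commit is defending against; with it, the application sees an empty array and the nil never takes part in a query.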
Commits on Dec 23, 2012
  1. @tenderlove

    bumping to 3.0.18

    tenderlove committed Dec 23, 2012
  2. @tenderlove
  3. @tenderlove

    updating changelogs

    tenderlove committed Dec 22, 2012
Commits on Aug 28, 2012
  1. @rafaelfranca
Commits on Aug 9, 2012
  1. @spastorino

    Merge pull request #7308 from amerine/3-0-stable

    Add html_escape note to CHANGELOG
    spastorino committed Aug 9, 2012
  2. @amerine
  3. @spastorino

    Bump to 3.0.17

    spastorino committed Aug 9, 2012
  4. @spastorino

    Add CHANGELOG entries

    spastorino committed Aug 9, 2012
  5. @spastorino

    Do not mark strip_tags result as html_safe

    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
    spastorino committed Aug 8, 2012
  6. @spastorino

    escape select_tag :prompt values

    CVE-2012-3463
    spastorino committed Aug 8, 2012
Commits on Aug 8, 2012
  1. @rafaelfranca
  2. @spastorino @tenderlove

    html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
    spastorino committed with tenderlove Jul 31, 2012
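The html_escape commit above and the Aug 9 commits (escaping select_tag :prompt values, CVE-2012-3463) share one point: any untrusted string placed into HTML must have all five of `& < > " '` escaped, as OWASP rule #1 at the linked page requires, and helpers that build tags must run their inputs through that escaper. The following is an added example, not the ActiveSupport/ActionView implementation: an escaper that covers all five characters, the pre-fix variant that skipped the single quote kept alongside it for comparison, and a minimal `select_tag` whose prompt is escaped. The helper names and the single-quoted-attribute builder are this example's own.

```ruby
# Added example, not Rails's own html_escape/select_tag.

# OWASP rule #1: escape every character that can end an element or an
# attribute value. The single quote is written as a numeric entity so the
# output is valid in HTML 4 as well as HTML 5.
HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;'
}.freeze

def html_escape(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# Pre-fix behaviour, kept only for comparison: single quotes pass through,
# so a value inside a single-quoted attribute can close that attribute.
def html_escape_without_single_quote(text)
  text.to_s.gsub(/[&<>"]/, HTML_ESCAPE)
end

# A single-quoted attribute built with a chosen escaper (hypothetical
# helper used to show why the single quote matters).
def single_quoted_value_attr(value, escaper)
  "<input value='#{escaper.call(value)}'>"
end

# Minimal select_tag: option_tags are assumed to be already-built markup,
# the prompt is untrusted and is escaped before it becomes an <option>.
def select_tag(name, option_tags, prompt: nil)
  options = option_tags
  options = "<option value=\"\">#{html_escape(prompt)}</option>\n#{options}" if prompt
  "<select id=\"#{html_escape(name)}\" name=\"#{html_escape(name)}\">#{options}</select>"
end
```

With the old escaper, `single_quoted_value_attr("' onmouseover='alert(1)", ...)` yields `<input value='' onmouseover='alert(1)'>`, an attribute injection; with `html_escape` the quote becomes `&#39;` and the value stays inside the attribute.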